The result of this exercise was the development of KPIs that organizations can use to measure the effectiveness of their security program. In the previous post, I identified and discussed the first two KPIs. In this second post, I will cover the final two key performance indicators.

We explored ways to increase confidence that usernames and passwords being leveraged in the environment are, in fact, being used by their rightful owners and not nefarious actors. We discussed how to make changes to Active Directory in order to prevent or limit password theft, and pass the hash attacks. In addition to the options we discussed in our last post, two-factor authentication is a wonderful form of protection.

This indicator explored ways to ensure confidence in the systems that users leverage. We discussed patching cycles, application whitelisting, and host isolation. I also covered how to measure the success of this KPI and showed what a sample report may look like.

While we’ve set a solid foundation for our security program, there are still weaknesses that need to be addressed. Based on the sample controls I’ve addressed thus far, there is still the potential for an attacker to harvest credentials from each user they compromise. To recap, an attacker should not be able to harvest cached credentials from desktops, but unfortunately, mobile workers with laptops still are at risk.

Unless the attacker is fortunate enough to locate the data on the victim’s laptop, they will need to move across the network. So, what systems will attackers target and how will they gain access to these systems?The easiest way for attackers to gain access to data is via a file sharing protocol. The easiest way for attackers to gain access to data is via a file sharing protocol. Click To Tweet Unfortunately, these protocols have minimal security controls; to date, there’s no way to enable 2FA on a native SMB or NFS share.

So if our attacker has access to a remote workers laptop, how will they gain access to corporate data? One of the most commonly used attack tools to accomplish this is an application called Metasploit.

We’ll cover two tools commonly used:

1. psexec

2. smb_login

These two tools are by no means the only way of accomplishing this. You can use Python or PowerShell to accomplish the same task; however, the attack process is easiest to illustrate with the two utilities we’re mentioning here. Also, the method to detect these actions are the same for any tool the attacker may use.

Psexec is a tool Windows administrators may be familiar with. You can see the commands that need to be executed in order to gain access to a victim shell on a remote system.

Notice the line that reads: msf exploit (psexec) > set SMBPass e52cac67419…

The long string of alphanumeric characters shown here are the same pieces of information that an attacker was able to gain using the hashdump or run hashdump commands. But this particular method of trying to access other systems isn’t as effective as it could be. What if there was a way for an attacker to simply scan an entire network leveraging this technique? This is where the Metasploit module smb_login comes into play:

msf >use auxiliary/scanner/smb/smb_loginmsf auxiliary(smb_login) >show optionsModule options (auxiliary/scanner/smb/smb_login):
Name Current Setting Required Description
---- --------------- -------- ----------- ABORT_ON_LOCKOUT false yes Abort the run when an account lockout is detected
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DETECT_ANY_AUTH true no Enable detection of systems accepting any authentication
PASS_FILE no File containing passwords, one per line
PRESERVE_DOMAINS true no Respect a username that contains a domain name.
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RECORD_GUEST false no Record guest-privileged random logins to the database
RHOSTS yes The target address range or CIDR identifier
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attemptsmsf auxiliary(smb_login) >set RHOSTS 192.168.1.0/24RHOSTS => 192.168.1.0/24msf auxiliary(smb_login) >set SMBUser victimSMBUser => victim
msf auxiliary(smb_login) >set SMBPass s3cr3tSMBPass => s3cr3t
msf auxiliary(smb_login) >set THREADS 50THREADS => 50msf auxiliary(smb_login) >run[*]192.168.1.100 - FAILED 0xc000006d - STATUS_LOGON_FAILURE[*]192.168.1.111 - FAILED 0xc000006d - STATUS_LOGON_FAILURE[*] 192.168.1.114 - FAILED 0xc000006d - STATUS_LOGON_FAILURE[*] 192.168.1.125 - FAILED 0xc000006d - STATUS_LOGON_FAILURE[*] 192.168.1.116 - SUCCESSFUL LOGIN (Unix)[*]Auxiliary module execution completedmsf auxiliary(smb_login) >

If you notice towards the bottom of these screen captures there are two commands of interest:

msf auxiliary(smb_login) > set RHOSTS 192.168.1.0/24

msf auxiliary(smb_login) > set SMBPass s3cr3t

Notice two things

1. The attacker can set a subnet mask to scan as noted by set RHOSTS 192.168.1.0/24.

2. The attacker is using a plain text password; however, you can also use a recovered password hash with this exploit as well.

This is a pivotal moment for an attacker. They have a shell on the victim host, a valid username, and password hash. They are scanning a large segment of your environment in an attempt to gain access to potentially critical systems. The scariest part about this process is that generally there will be no warnings from your IDS/IPS systems, your SIEM tools, and your end users will not notice any suspicious behavior because the attacker is using valid credentials. This is one of the worst possible scenarios an organization can be in.

So, how do we protect ourselves against this situation, and how do we measure how well our security program is executing on that protection?

3. Minimization of Lateral Movement

The goal of KPI three is to measure how much we can minimize all available lateral movement throughout the organization’s network. This is where smart security policies and technical controls intersect. Since we’ve seen that the majority of attacks enter the organization through endpoint systems, we should establish policies that do not allow the following types of activities:

1. Ping scans from unapproved LAN hosts

2.Port scans from unapproved LAN hosts (TCP & UDP)

3. SMB sharing between LAN users

4. Any other activity that would require endpoints to engage in peer-to-peer communication

For example, if an organization wants to enable file sharing between users, all file sharing should be done from a server within the data center. Users should not be allowed to enable and share files off of their endpoints, and users should not engage in network scanning of any kind. If we have these policies in place, when attackers engage in scanning activities it can be easily detected. How is this activity detected? Through several options, each with their own pros and cons.

If you have a limited budget, the most cost effective (but primitive) method is to implement Private VLANs (PVLAN) on your LAN segments. You can then enable an access control list on those ports that are members of the PVLAN. If you’re unfamiliar with PVLANs, the graphic below, taken from Cisco’s website, illustrates how a private VLAN works:

When you leverage isolated PVLANs, systems attached to the ports are simply not able to communicate amongst themselves. As previously mentioned, you place an access control list (ACL) on ports for violations of those controls. ACL violations should be forwarded to your SIEM tool of choice. Any violation should be investigated immediately, as it is an indicator of lateral movement on the network. If you have a larger budget, you could implement a solution like Cisco’s Stealthwatch.

Stealthwatch is a netflow visibility tool; netflow consists of metadata about traffic flows in an environment. That metadata can also alert us to lateral movement an attacker may attempt. Where a simple PVLAN access list violation tells us something bad has happened, a tool like Stealthwatch can provide much greater visibility about what actually occurred. Alarms can be set as thresholds of activity are breached. Netflow data can also provide information about application use that may violate policy, such as streaming video or music.

Finally, there are additional micro-segmentation techniques for the data center and LAN such as: VMware’s NSX, Cisco’s ACI and ISE platforms. Each of these subjects could fill an entire blog post, but if you are thinking of building a more robust security program they are definitely worth investigating.

As we’re finishing our 3rd KPI, we should take stock on the working room attackers have within our environment:

The attacker should be limited to a single valid username and password hash

The attacker cannot actively scan the local subnet or any other subnets protected by private VLANs or other network visibility tools

This situation leaves the attacker a very narrow window of opportunity, but we should seek to close the gap. The attacker could be fortunate and the endpoint they compromised could have mapped SMB shares that contain sensitive data. What is our course of action at this point?

4. Percent of Sensitive Data Monitored for Anomalous Access

I’m a realist. It’s very difficult to stop an attacker once they’ve gained access to your file shares with valid user credentials, but we shouldn’t give up. There are at least two things we can do in this situation that can give us an opportunity to discover an attacker. Again, I will present two options: one for organizations that may not have a large security budget, and a second for organizations with larger budgets.

Setup “honey shares” on file shares with sensitive information

Monitor successful file access and alert on the most sensitive data

Implement a technology that analysis file access behaviors, and will alert on deviation

The first two options can be implemented free of cost. Some people would consider my term “honey share” as a honey pot. The term used is unimportant, what is important, however, is that the advantage we have here over the attacker is that they will have to look for data on file shares in order to locate their objective. If you place what appears to be a juicy target on a file share, an attacker will most likely attempt to read the files. Within Windows you can enable the successful access of files. Note this WILL cause a massive amount of events in event viewer, but if you set up a “honey share” no valid user should be accessing it. At a high level you need to do two things to set up object access auditing.

First, enable auditing on the folder, subfolders, and files that are sensitive, as shown above.

Second, you have to enable audit object access within group policy and ensure it’s applied to the correct systems. The same tactic can be used on a highly sensitive file share, but the amount of generated audit logs will be significant. These audit logs can be forwarded to a system like Splunk, which will summarize alerts for you. This will be helpful to reduce the volume of alerts that will be created, but to monitor all legitimate file access manually will be an intensive process. In order to reduce this burden, there are pay for products on the market that will attempt to learn user access patterns, only alerting when they believe there’s been a change in access that warrants investigation.

One of the products that performs this type of action is Varonis’s Datadvantage. Datadvantage builds a model of regular access from all your users, and will report any perceived malicious activity. Datadvantage has capabilities to scan SMB or NFS shares and report where potentially sensitive information resides. Datadvantage can also provide you with information, such as last access time, so you can start to delete old information. This reduces the amount of data available for attackers to steal, therefore reducing your risk level.

In review, we covered why we selected our KPIs — they were based on the most likely actions an attacker will take during a data breach, according to relevant security reports by Verizon, Mandiant, and Cisco.

Our objective was to protect:

Accounts representing authorized users

The systems those users are accessing

The network systems use to pass data

Types of data users access in order to complete work

There are certainly other security measures that organizations can put in place, but ultimately they will be protecting one of these four core areas within the data ecosystem.

For a final review, I’ve outlined 4 KPIs that can be used to measure the success of our security program:

1. Confidence Level in Account Validity

2. Confidence in System Control

3. Minimization of Lateral Movement

4. Percent of Sensitive Data Monitored for Anomalous Access

When executives begin monitoring and measuring these four key areas, they can start to gain confidence that the security organization is operating effectively. If any one of these pillars is lacking, attackers gain movement room within an organization.

Steven is an enterprise architect with a strong client focus. His operations experience spans over 15 years. This translates into an understanding of the daily challenges for IT teams. In addition to traditional data center technologies, he also has a wide range of security and compliance experience.